Protecting a vPBX from DoS attacks

Here’s a set of basic iptables rules to protect a virtual PBX host from SIP REGISTER and SSH attacks.

UPD 20141218: the rules now filter all SIP packets (not only REGISTER), and cover IPv6 as well.

# Debian/Ubuntu: iptables-persistent restores /etc/iptables/rules.v4 and
# rules.v6 at boot, so the rules below survive a reboot.
apt-get install -y iptables-persistent

#####  IPv4 rules #####
# SIP: everything arriving on 5060/udp, 5060/tcp and 5080/udp goes through
# the dos-filter-sip-external chain.
iptables -N dos-filter-sip-external

iptables -A INPUT -p udp -m udp --dport 5060 \
-j dos-filter-sip-external

iptables -A INPUT -p tcp -m tcp --dport 5060 \
-j dos-filter-sip-external

iptables -A INPUT -p udp -m udp --dport 5080 \
-j dos-filter-sip-external

# Per source address: a burst of 30 packets, then a sustained 5 packets/sec.
# Packets within the limit RETURN to INPUT; the hash table has 24593 buckets
# and forgets an address after 90000 ms (90 s) of silence.
iptables -A dos-filter-sip-external \
-m hashlimit --hashlimit 5/sec \
--hashlimit-burst 30 --hashlimit-mode srcip \
--hashlimit-name SIPMSG --hashlimit-htable-size 24593 \
--hashlimit-htable-expire 90000 -j RETURN

# Anything over the limit is rejected with an ICMP admin-prohibited error.
iptables -A dos-filter-sip-external -j \
REJECT --reject-with icmp-admin-prohibited

# SSH: only new connections (SYN set, FIN/RST/ACK clear) are counted.
# -I puts this rule at the top of INPUT, ahead of the SIP rules appended above.
iptables -N dos-filter-ssh

iptables -I INPUT -p tcp -m tcp --dport 22 \
--tcp-flags FIN,SYN,RST,ACK SYN -j dos-filter-ssh

# Per (source, destination) pair: a burst of 10 new connections, then 3/min;
# idle entries expire after 60000 ms (60 s).
iptables -A dos-filter-ssh -m hashlimit --hashlimit 3/min \
--hashlimit-burst 10 --hashlimit-mode srcip,dstip \
--hashlimit-name ssh_hash --hashlimit-htable-expire 60000 \
-j ACCEPT

# Excess connection attempts are silently dropped.
iptables -A dos-filter-ssh -j DROP

# Snapshot the complete running IPv4 ruleset into the file loaded at boot.
iptables-save > /etc/iptables/rules.v4

#####  IPv6 rules #####
# Same chains and limits for IPv6; only the reject type differs.

ip6tables -N dos-filter-sip-external

ip6tables -A INPUT -p udp -m udp --dport 5060 \
-j dos-filter-sip-external

ip6tables -A INPUT -p tcp -m tcp --dport 5060 \
-j dos-filter-sip-external

ip6tables -A INPUT -p udp -m udp --dport 5080 \
-j dos-filter-sip-external

ip6tables -A dos-filter-sip-external \
-m hashlimit --hashlimit 5/sec \
--hashlimit-burst 30 --hashlimit-mode srcip \
--hashlimit-name SIPMSG --hashlimit-htable-size 24593 \
--hashlimit-htable-expire 90000 -j RETURN

# ICMPv6 has its own reject type name.
ip6tables -A dos-filter-sip-external -j \
REJECT --reject-with icmp6-adm-prohibited

ip6tables -N dos-filter-ssh

ip6tables -I INPUT -p tcp -m tcp --dport 22 \
--tcp-flags FIN,SYN,RST,ACK SYN -j dos-filter-ssh

ip6tables -A dos-filter-ssh -m hashlimit --hashlimit 3/min \
--hashlimit-burst 10 --hashlimit-mode srcip,dstip \
--hashlimit-name ssh_hash --hashlimit-htable-expire 60000 \
-j ACCEPT

ip6tables -A dos-filter-ssh -j DROP

# Snapshot the complete running IPv6 ruleset into the file loaded at boot.
ip6tables-save > /etc/iptables/rules.v6
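What the hashlimit numbers above actually allow a single address is easier to see with a small model than by reading the flags. The script below is an added example, not part of the original post: it treats xt_hashlimit as a classic token bucket (a full bucket of --hashlimit-burst tokens, refilled at the --hashlimit rate, one token per matching packet), which is an assumption about the kernel match, not a copy of it. The function names simulate_hashlimit, sip_flood_passed, sip_phone_passed and ssh_scanner_passed and the traffic patterns are mine.

```shell
#!/bin/sh
# Added example (not from the original post): a simplified token-bucket model
# of the hashlimit rules above, for one source address. Credit is kept in
# milliseconds, so everything is exact integer arithmetic.
# Assumption: xt_hashlimit behaves as a bucket that starts full (BURST tokens),
# refills at the configured rate and matches only when a whole token is free.

# simulate_hashlimit RATE BURST INTERVAL_MS COUNT
#   RATE is written as in the rules ("5/sec", "3/min"). COUNT packets arrive
#   from one address INTERVAL_MS apart. Prints how many match the hashlimit
#   rule (and so RETURN / ACCEPT); the rest fall through to REJECT / DROP.
simulate_hashlimit() {
    rate=$1; burst=$2; interval=$3; count=$4
    case "$rate" in
        */sec) n=${rate%/sec}; cost=$((1000 / n)) ;;    # ms of credit per packet
        */min) n=${rate%/min}; cost=$((60000 / n)) ;;
        *) echo "simulate_hashlimit: rate must be N/sec or N/min" >&2; return 1 ;;
    esac
    cap=$((burst * cost))        # the bucket never holds more than BURST packets
    credit=$cap; last=0; passed=0; i=0
    while [ "$i" -lt "$count" ]; do
        now=$((i * interval))
        credit=$((credit + now - last))      # refill for the time that elapsed
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        last=$now
        if [ "$credit" -ge "$cost" ]; then   # a whole token is available: match
            credit=$((credit - cost)); passed=$((passed + 1))
        fi
        i=$((i + 1))
    done
    echo "$passed"
}

# Scenarios built from the numbers in the rules above (constructed traffic):
#   SIP flood, 100 packets in one second from one address -> 34 pass, 66 rejected
#   SIP phone re-registering once a minute, 100 packets  -> all 100 pass
#   SSH, one new connection per second for a minute      -> 12 accepted, 48 dropped
# --hashlimit-htable-expire only decides how long an idle address stays in the
# table; 90 s of silence at 5/sec would refill a 30-token bucket anyway, so the
# expiry does not change the allowance, only the memory used.
sip_flood_passed()   { simulate_hashlimit "5/sec" 30 10 100; }
sip_phone_passed()   { simulate_hashlimit "5/sec" 30 60000 100; }
ssh_scanner_passed() { simulate_hashlimit "3/min" 10 1000 60; }
```

The useful reading is the difference between the first two scenarios: a phone that re-registers every minute never touches the limit, while a flood from one address is cut to burst plus rate within the first second. The limit is per source address, so a flood spread over many addresses is only limited per address; the hash table size above is what bounds how many such addresses are tracked at once.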
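The post builds the ruleset one iptables command at a time and then snapshots it with iptables-save, which means the IPv4 and IPv6 blocks are maintained twice. The script below is an added example, not from the original post, that renders the same rules in the iptables-restore(8) file format that iptables-persistent loads from /etc/iptables/rules.v4 and rules.v6, from one template parameterised by address family. The function names render_rules and install_rules are mine; --hashlimit-upto is the current spelling of the post's --hashlimit; the syntax check uses iptables-restore --test and is skipped where that binary is absent.

```shell
#!/bin/sh
# Added example (not from the original post): generate the post's rules in
# iptables-restore file format for IPv4 or IPv6 from one template.
# Assumptions: chain names, ports and limits are the post's own; the file
# layout (*filter ... COMMIT) is what iptables-save writes and
# iptables-persistent reads back at boot.

# Rate-limit parameters copied from the post (constructed as shell strings).
SIP_LIMIT="-m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-name SIPMSG --hashlimit-htable-size 24593 --hashlimit-htable-expire 90000"
SSH_LIMIT="-m hashlimit --hashlimit-upto 3/min --hashlimit-burst 10 --hashlimit-mode srcip,dstip --hashlimit-name ssh_hash --hashlimit-htable-expire 60000"

# render_rules FAMILY   (FAMILY is 4 or 6); prints the rules file on stdout.
# Only the REJECT type differs between the two address families.
render_rules() {
    case "$1" in
        4) reject="icmp-admin-prohibited" ;;
        6) reject="icmp6-adm-prohibited" ;;
        *) echo "render_rules: family must be 4 or 6" >&2; return 1 ;;
    esac
    # Built-in chains keep policy ACCEPT, as in the post. The SSH rule is
    # listed first because the post inserts it with -I (top of INPUT).
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:dos-filter-sip-external - [0:0]
:dos-filter-ssh - [0:0]
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j dos-filter-ssh
-A INPUT -p udp -m udp --dport 5060 -j dos-filter-sip-external
-A INPUT -p tcp -m tcp --dport 5060 -j dos-filter-sip-external
-A INPUT -p udp -m udp --dport 5080 -j dos-filter-sip-external
-A dos-filter-sip-external $SIP_LIMIT -j RETURN
-A dos-filter-sip-external -j REJECT --reject-with $reject
-A dos-filter-ssh $SSH_LIMIT -j ACCEPT
-A dos-filter-ssh -j DROP
COMMIT
EOF
}

# install_rules FAMILY: write /etc/iptables/rules.vFAMILY (needs root) after a
# syntax check with iptables-restore --test where that tool exists.
install_rules() {
    fam=$1
    case "$fam" in
        4) restore=iptables-restore ;;
        6) restore=ip6tables-restore ;;
        *) return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    render_rules "$fam" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v "$restore" >/dev/null 2>&1; then
        "$restore" --test < "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    install -m 0600 "$tmp" "/etc/iptables/rules.v$fam" && rm -f "$tmp"
}

# Usage: sh this-script.sh install 4 && sh this-script.sh install 6
if [ "${1:-}" = "install" ]; then
    install_rules "${2:-4}"
fi
```

Unlike the post's iptables-save snapshot, which records whatever else is in the running filter table, this file contains only these rules: loading it with iptables-restore (or at boot via iptables-persistent) replaces the whole filter table, so any other rules the host needs have to be added to the template first.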

  1. #1 by Fred on April 24, 2014 - 5:20 pm

    “…-m udp…” is not valid. You will not get an error but IPTABLES will just ignore that part.

    • #2 by txlab on April 28, 2014 - 7:21 am

      I checked the manpage, and it is indeed a valid option. You can see extra parameters if you enter “iptables -m udp -h”

  2. #3 by Fred on April 24, 2014 - 9:47 pm

    I haven’t tried the rest. I think if you just remove that it’s ok.

  3. #4 by unicsolution on March 13, 2015 - 5:37 am

    This will monitor all SIP request and not just registration correct?

    • #5 by txlab on March 13, 2015 - 7:26 am

      yes. Initial version filtered REGISTER messages only, and now it applies to all SIP messages.

  4. #6 by Ed Sweazy on April 2, 2016 - 3:40 pm

    Thank you so much for this How-To, my PBX SIP server was being hammered by a SIPVicious attack! I tried to block the source IP within the Linux firewall, but every 5 minutes I was hit with a new IP address. I installed iptables-persistent with the iptables rules provided and was able to stop the attack dead in its tracks!!!
    YOU GUYS ARE AWESOME, THANKS A MILLION!!!
